Project Status (experimental to stable?) #104
Comments
|
I’d hope for security that corepack starts checking integrity hashes before it’s enabled by default. (Edit: This was briefly fixed, but it was then reversed by #134 and remains a problem.) |
|
Visiting this GitHub issue from twitter thread. I'd asked on Yarn Discord in Jan'22 if we should propose to make it stable in Node.js 18. There was no follow-up though. Some useful links:
@arcanis has been the champion and lead author for corepack, along with other maintainers of yarn. I think we should revive this GitHub issue after yarn v4 release. |
Mostly just #93 - many Node contributors expressed interest in seeing Corepack have a slightly more dynamic behavior, so that it stay up-to-date with minor/patch versions from the package managers (look at the thread for details, but in short it's currently painful for Node to have to make new releases each time npm has a security update). It makes dealing with #37 a little harder though. Perhaps package managers releases could be signed instead, although it requires infra and can be be difficult to do for package managers that aren't distributed as a single JS bundle (I believe only Yarn is).
Apart from the one described above, I'd personally like to have feedback from one or more cloud provider confirming that Corepack has all the tools they need to build a proper integration that doesn't break their customers' setup. That's something Vercel can certainly help with!
Corepack has value for Yarn and pnpm users, and it'd be too bad if we were blocked going forward by something we have no control over, so in my opinion I'd tend to say it's not needed, although it would be nice to have. Note that technically Corepack already supports npm, it's just not part of the default distribution until they decide to enable it. So when that happens it will be fairly fast and won't require much engineering work.
My hope (and goal when building this project) is that |
We announced support today https://twitter.com/vercel_changes/status/1547581626279792640 I'll relay any feedback from our customers as they begin adoption 👍 In my own testing, the biggest problem I see today is the "Usage Error: This project is configured to use ". This happens when I run Update: I created #157 |
|
Checking in here again. I can say that all outstanding issues are complete and everyone who tries out corepack is very happy with it. Its solving real problems. For example, npm changed behavior of peer dependencies in That being said, the one thing missing today is default support for npm when I run |
That's really good to hear!
I would assume that, on the contrary, Corepack being experimental would be a blocker to switch to using it for providing npm binaries with Node.js installation (instead of vendoring npm in the node repository like we do today). |
|
I wouldn't consider signing releases a blocker to going stable. It would be a nice feature though. Correct me if I'm wrong, but I don't think Unless the |
When discussing with other devs, I've heard a few concerns regarding the decrease of security if Node.js doesn't ship npm anymore and instead expect users to download the latest version which could have been tampered with. IMO when we call Corepack stable, the next logical step is to stop bundling npm by default with Node.js in favor of Corepack, and the lack of signature verification might be a problem on that aspect.
npm, pnpm, and Yarn v1.x are pulled from the npm registry, Yarn Berry is pulled from their own server. But it doesn't have anything to do with signed releases, right? |
|
This issue needs to be fixed before going stable: |
|
@styfle What prevents corepack to be stable in Node20? |
|
Mostly time. On my side I'd like to add signing support to Yarn before asking for it to become stable, but I'm currently focusing on another Node PR. Perhaps in the meantime we can start to gather numbers / quotes demonstrating Corepack's usefulness in the wild ? I don't know what else would help the TSC make a decision, when comes the time. |
|
I believe there's a pretty major licensing issue that needs to be resolved as well. |
|
What are you referring to? That doesn't ring a bell. |
|
My understanding is that corepack's npm "jumper" thing violates npm's license. I'm under the impression it's been brought to your attention in the past, and I'm pretty sure folks on the TSC are aware of it as well. |
|
I for one am not aware of it, do you have a link to a discussion that explains what's the issue? |
I can't find any thread here or any comment in the original PRs, and I don't have any recollection of such issue. It seems a little strange considering that npm isn't officially covered by Corepack at the moment; if you have more pointers it'd be useful to redirect them in a separate thread. |
|
I'll try to track something down that mentions it. |
|
Does the “jumper” modify the npm CLI source code or just invoke it? IANAL, but it sounds like the license doesn’t apply if the jumper is just invoking
|
@arcanis I run Node.js support for Heroku. I've recently built a buildpack integration for Corepack (here). I'm pretty eager to expand support for corepack. The areas where I have the most concern is around package manager verification. It looks like #37 is a great start, but for folks wishing to pin to a non-default package manager version, the user has to determine and specify the checksum. Users pinning to a non-default version without specifying a checksum might be surprised that the package manager installed by corepack wasn't verified in any way. I would hope to see |
I don't think that can ever happen, we would need to have a trusted source for the checksum hashes, and AFAIK that is not something we can have without trusting HTTPS and a remove server (so no better than what we are doing now), or bundle a list of accepted hashes within Corepack which would make it impossible for package manager authors to release a fix without also forcing an update upon Corepack (that's not acceptable, Corepack should let you use the most patched version always). |
Ah, fair point. I think #10 does make more sense here, then. |
|
@ljharb Did you ever find anything about this licensing issue? |
|
Revisiting this request to make corepack stable, as both yarn and pnpm recommend their users to use corepack:
Some downstream dependencies, like GitHub Action to setup node, still do not support corepack actions/setup-node#651 |
|
Node.js TSC in the process of discussing and taking action for the status of the project. For more information, I recommend reading the meeting notes from January 10, 2024. nodejs/TSC#1490 |
|
The discussion is continuing in this issue: nodejs/node#50963 Me watching from the sidelines: https://media2.giphy.com/media/FibBZ3bFGGcoXCB1kd/giphy.gif |
|
Personal opinion (does not represent my employer):
|
I don't think we can guarantee that, and also I think package managers should be free to pick the package registry they want – I mean it is the case atm, Yarn and PNPM both default to the public npm registry, but future additions to Corepack might want to supply their own registry or whatever. IMO it's not reasonable to expect Corepack maintainers to audit the candidate to make any guarantees on what the software is doing. |
I can't find any details on the current project status such as anything that needs to be solved before going stable.
corepack enableor will that always be a requirement?The text was updated successfully, but these errors were encountered: